Thycotic’s Cyber Security Publication

Phishing Scams: Your Social Media and Email Security Checklist

March 2nd, 2017

Phishing scams are on the rise, and they surge during tax season. Phishing is the practice of sending a potential victim an email or message that looks like legitimate correspondence from the IRS, a bank, or another organization, but clicking on links within the message takes the victim to a fake website. Once on the website (which often also appears perfectly authentic), they are encouraged to ‘log in’, unintentionally revealing their personal information.

Be cautious and diligent throughout the year, but particularly during tax season, and look out for suspicious requests or emails. Security awareness is critical and we must be as relentless in our efforts to protect ourselves as scammers are in their ongoing attempts to trick us.

Recently I was the target of a phishing scam myself. It occurred via LinkedIn. Social Media scams represent more than 12% of cyber attacks, and IRS scams are already in full motion.

In this case, I received a request from a person claiming to be a Client Service Representative of a large security software company interested in business development and potential partnerships. The request was for a 15-minute phone conversation to discuss the opportunity further.

I was suspicious from the start and immediately began investigating the LinkedIn profile for authenticity and validation. I also checked the name via Google Searches to find results using various parameters for the company, education, and even city. There were no valid results. It became clear that this was a scam. Next, I gathered as much information about the profile as possible including the contact email address. I was then able to trace the contact back to a Russian email server.

To validate this I led the suspected hacker to reveal as much information about themselves as I could. We had a messaging ‘conversation’ during which, of course, they repeatedly asked for my mobile number so they could have a call. This was an attempt to get as much of my personal information as possible which would then be used to validate data. Then, most likely, it would later be used in a targeted email phishing/vishing scam.

I have since notified both LinkedIn and the company of the incident.

SOCIAL MEDIA SCAMS: Please be cautious of similar types of scams. Here are some ways to validate/check requests you receive:

1. CONNECTION REQUESTS: If you receive a connection request on LinkedIn or another social network, be wary if you do not know the person or have no connections in common with the requester.

2. GOOGLE SEARCH PROFILE: Before accepting, do a quick Google search on the profile’s contact details, workplace and education. If no results are found, it is highly likely a scam (fake account).

3. SHARED CONNECTION: Do you have any connections in common with the person requesting a connection with you? If not, be suspicious of the request and do some research.

4. PHOTO SEARCH: Do a reverse image search of the profile photo in Google and look at the results. If no results are returned, it is highly likely a scam.

5. CHECK EMAIL ADDRESS: If the request appears to be valid and you accept, quickly check the contact’s email address. If it comes from a domain like bk.ru, it is likely a phishing scam.

6. AUTO RESPONSES: After accepting a request you might receive an automated message. This is another indication that the account may be fake, as automated responses are common in phishing scams.

7. ASK ADVICE: If you are uncertain, ask a colleague for advice. A second, or even third, opinion is worth the time it takes to get it. At the very least, it prevents you from accepting the request immediately and regretting it later.

8. DELETE CONNECTION: Once you’ve confirmed it’s a scam, do NOT communicate with the account. Instead, report it to the social network and remove the connection at once.

EMAIL SCAMS: Please be aware that social networks are just one platform; phishing scams can also arrive directly by email. In these situations, be aware of the following:

1. IS IT A VALID CONTACT? Do you know the person sending the email?

2. IS THE EMAIL ADDRESS VALID? You can usually hover over the sender’s email address to see the full domain and check whether it is real.

3. DOES THE MESSAGE CONTAIN HYPERLINKS? Before clicking on any hyperlink, check where it leads. A link’s visible text may mask the website to which it actually links. If you’re on a computer, hover over the link without clicking it and you’ll usually see the full URL of the link’s destination in a lower corner of your browser. If the message is from your bank or another organization you use, it is best to go directly to their website by typing the URL into your browser. You can even call them to find out whether the message is authentic.

4. LEAST PRIVILEGE: Use a standard user account, not an administrator account, when clicking on links or opening attachments.

5. SCAN ATTACHMENTS: Be cautious when opening any email attachment. If you can, scan it with your anti-virus program before opening it. Note: keep all the software you use up to date so that you are running the latest security fixes.

6. BACKUP: Make sure you have a backup of important information, including photos, software and other files; if you are infected by malware, your information may otherwise be lost forever. There are plenty of cloud options online if you do not currently have one.

7. REPORT: Report any suspicious incidents and activity to the organization that the email appears to be from. Most companies list their contact or support information on their website, so look there for contact information first.
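Items 2 and 3 of the email checklist can be checked mechanically. The following is an added example, not code from the original post or from Thycotic: using only Python’s standard library, it parses a constructed sample message, flags a From address that is not on the organisation’s real domain, and lists every link whose visible text names a different host than its actual destination. The sample message, the domains in it and the function names are all invented for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish); addresses and hosts are made up.
SAMPLE = """From: "Example Bank Support" <alerts@examp1e-bank-secure.ru>
Subject: Verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://login.examp1e-bank-secure.ru/verify">https://www.example-bank.com/login</a></p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lowercase host of a URL, or of a bare 'www.x.com/path' string (scheme assumed)."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def masked_links(raw):
    """Checklist item 3: links whose visible text looks like a URL but names a host other than the href's."""
    p = LinkCollector()
    p.feed(message_from_string(raw).get_payload())
    return [(href, text) for href, text in p.links
            if text.startswith(("http://", "https://", "www.")) and host_of(text) != host_of(href)]

def sender_domain_mismatch(raw, trusted_domain):
    """Checklist item 2: True when the From address is not on the organisation's real domain."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    domain = addr.rpartition("@")[2].lower()
    return domain != trusted_domain and not domain.endswith("." + trusted_domain)
```

A link whose text is plain words ("Click here") is not flagged by this check, so it complements, rather than replaces, hovering over each link as described above.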

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.